Commit Graph

1111 Commits

Author SHA1 Message Date
Isaac Connor 46c6735311 Missing namespace on filter. Fixes #2541 2019-02-24 10:02:49 -05:00
Isaac Connor fd310c0f0a Merge branch 'master' into storageareas 2019-02-22 11:33:47 -05:00
Isaac Connor 2b90bf15a6
Improve session (#2487)
* Introduce ZM_COOKIE_LIFETIME which sets the life of the SESSION cookie, instead of using what is in php.ini

* Use zm specific session functions, which are now located in includes/session.php.  Be more agressive about clearing session on logout.

* Move session code to includes/session.php

* remove duplicate line

* Move is_session_open to session.php.  Move code to clear a session into session.php

* improve debug line when there is a problem updating config entry

* split description into description and help text for COOKIE_LIFETIME

* Remove redirect on line.  We do it in javascript on postlogin view so that we can say logging in before switching to console

* If there is a username in the session, then we are logged in, but we need to load the user object from the db.  We can't just trust it from the session. The user may have been deleted and having that data in the session can be a security risk. So load the user object on every request.

* Use session_regenerate_id instead of our broken code to do the same

* Move auth code to includes/auth.php

* add autocomplete tags to username and password inputs

* Don't redirect to login if we are already viewing login.  Put auth before including skin includes

* need to include session.php in auth.php

* update to php namespace
2019-02-22 09:43:38 -05:00
Isaac Connor 410cb70ddb
get rid of js that just does the form submit. Upgrade the button from an input to a button. Use 0 and 1 instead of accept and decline, which allows us to pre-select the current value of ZM_TELEMETRY_DATA. So that if you had previously declined, you won't accidentally accept. This fixes the reported error that choosing decline would cause the setting to not be saved and the privacy popup to happen again. (#2534) 2019-02-22 09:20:54 -05:00
Isaac Connor 8dd8888975
Php namespace (#2537)
* experiment with namespaces on the Server class

* experiment with namespaces on the Server class

* Implement the ZM namespace on objects

* Implement the ZM namespace on objects

* Implement the ZM namespace on objects
2019-02-22 09:19:07 -05:00
Isaac Connor 8837015239 remove bogus test for Filter Id 2019-02-19 13:54:25 -05:00
Isaac Connor 6d1541a4d2 Merge branch 'fix_privacy_view' into storageareas 2019-02-19 12:57:01 -05:00
Isaac Connor 97a888c0db get rid of js that just does the form submit. Upgrade the button from an input to a button. Use 0 and 1 instead of accept and decline, which allows us to pre-select the current value of ZM_TELEMETRY_DATA. So that if you had previously declined, you won't accidentally accept. This fixes the reported error that choosing decline would cause the setting to not be saved and the privacy popup to happen again. 2019-02-19 12:54:12 -05:00
Isaac Connor 5029d7214a Merge branch 'master' into storageareas 2019-02-18 17:00:45 -05:00
Mitch Capper b646284da3 don't quote dbEscape values it will quote it already (#2529) 2019-02-17 11:31:28 -05:00
Isaac Connor b25770a2f0 Merge branch 'master' into storageareas 2019-02-13 11:52:31 -05:00
Isaac Connor d0745da11c fix path to Control.php 2019-02-13 11:52:16 -05:00
Isaac Connor dd641793a2 Merge branch 'improve_session' into storageareas 2019-02-13 11:17:30 -05:00
Isaac Connor 91a280e56e need to include session.php in auth.php 2019-02-13 11:17:15 -05:00
Isaac Connor a3374aa26c Merge branch 'reload_zmfilter_on_filter_save' into storageareas 2019-02-11 13:26:53 -05:00
Isaac Connor 5695be9f32 rough in a control function in Filter object. Use it to start/stop zmfilter processes when filters are deleted or Saved. 2019-02-11 13:21:00 -05:00
Matthew Noorenberghe cdbd59f054 bandwidth.php: Submit to the 'bandwidth' view but render the 'none' view. Fixes #2493 2019-02-10 13:22:08 -08:00
Isaac Connor 555cb4780d Merge branch 'master' into storageareas 2019-02-10 12:37:45 -05:00
Matthew Noorenberghe a6ee79f428 Fix typo in dbc1c7b72f comment 2019-02-09 22:40:39 -08:00
Matthew Noorenberghe dbc1c7b72f Only output the CSRF Try Again button (and add a warning) when ZM_LOG_DEBUG is on. Fixes #2469 2019-02-09 22:39:54 -08:00
Matthew Noorenberghe a97711de89 Replace or sanitize remaining uses of PHP_SELF. Fixes #2446 2019-02-09 22:12:36 -08:00
Matthew Noorenberghe effd609ff7 Escape output of state names. Fixes #2475 2019-02-09 20:40:08 -08:00
Matthew Noorenberghe c9d597dced logger.php: Don't output Panic messages unless debugging is on. Fixes #2460 2019-02-09 18:51:30 -08:00
Matthew Noorenberghe 6d2f3c265f events.php: Remove inline event handlers and enforce CSP 2019-02-09 17:34:59 -08:00
Matthew Noorenberghe fcbc22b6a2 functions.php: Ensure 'limit' request parameter is an integer. Fixes #2456 2019-02-09 17:27:47 -08:00
Matthew Noorenberghe 502f53fad0 functions.php: Fix SQLi in getFormChanges 2019-02-09 17:15:02 -08:00
Matthew Noorenberghe 254b7286b4 monitor.php: Escape SignalCheckColour to prevent XSS. Fixes #2451 2019-02-09 16:41:54 -08:00
Matthew Noorenberghe b2a97ee190 frame.php: Fix multiple XSS from 'show' and 'scale' parameters and enforce CSP.
Fixes #2448, fixes #2449, and fixes #2447.
2019-02-09 15:10:45 -08:00
Matthew Noorenberghe c8066919ff functions.php: Esacepe textContent in htmlOptions() 2019-02-09 14:14:46 -08:00
Matthew Noorenberghe 98e0a0d2c5 Don't output Fatal(...) error messages unless debugging is on to avoid leaking info. Fixes #2459 2019-02-09 02:18:57 -08:00
Matthew Noorenberghe 02f09aad7f view=export: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2443 2019-02-09 02:01:26 -08:00
Matthew Noorenberghe 0b38e72f88 view=download: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2441 2019-02-09 01:16:32 -08:00
Isaac Connor d33e094526 Merge branch 'master' into storageareas 2019-02-06 17:03:41 -05:00
Isaac Connor 8e62c93f5f add to_json function to Storage. 2019-02-06 11:44:36 -05:00
Isaac Connor d121ecab75 Merge branch 'improve_session' into storageareas 2019-02-05 15:48:42 -05:00
Isaac Connor 141f2afc8c Merge branch 'master' into storageareas 2019-02-05 15:46:58 -05:00
Isaac Connor 21702dcc68 Merge branch 'master' into improve_session 2019-02-05 12:35:29 -05:00
Isaac Connor c54fe7e89a fix state actions 2019-02-05 12:35:06 -05:00
Isaac Connor cb0d9325e6 Use session_regenerate_id instead of our broken code to do the same 2019-02-05 11:45:09 -05:00
Isaac Connor 2466d765bf If there is a username in the session, then we are logged in, but we need to load the user object from the db. We can't just trust it from the session. The user may have been deleted and having that data in the session can be a security risk. So load the user object on every request. 2019-02-05 11:44:45 -05:00
Isaac Connor 5a9083fe86 Remove redirect on line. We do it in javascript on postlogin view so that we can say logging in before switching to console 2019-02-05 11:40:58 -05:00
Isaac Connor 97e3a8178a use session_regenerate_id instead of other strange code 2019-01-30 16:08:09 -05:00
Isaac Connor b09a71d0e2 code style 2019-01-30 16:06:16 -05:00
Isaac Connor 71f961d012 remove redirect to console on login, as it is done in javascript after Logging in message is displayed 2019-01-30 16:05:51 -05:00
Isaac Connor 4e10e6f0ae Merge branch 'improve_session' into storageareas 2019-01-30 15:26:37 -05:00
Isaac Connor 9a3aa49bae Merge branch 'fix_bandwidth' into storageareas 2019-01-30 15:18:16 -05:00
Isaac Connor 533d021dea Merge branch 'master' into storageareas 2019-01-30 15:17:27 -05:00
Isaac Connor 604dbf8776 fix state changing/etc 2019-01-30 14:36:46 -05:00
Isaac Connor 2e2404643f Fix bandwidth due to new actions code. Update buttons on bandwidth popup 2019-01-30 13:20:24 -05:00
Isaac Connor cc0b5e0f1f Move is_session_open to session.php. Move code to clear a session into session.php 2019-01-30 12:52:01 -05:00
Isaac Connor 0eba430932 remove duplicate line 2019-01-30 11:05:43 -05:00
Isaac Connor 85bb70df68 Use zm specific session functions, which are now located in includes/session.php. Be more agressive about clearing session on logout. 2019-01-30 11:05:19 -05:00
Matt N 8c5687ca30 Fix name/protocol XSS in controlcaps.php. Fixes #2445 (#2479) 2019-01-25 08:35:07 -05:00
Matt N fd6179d7c8 Enforce CSP on many more views (#2480) 2019-01-25 08:34:29 -05:00
Matthew Noorenberghe 47d8c9b066 plugin.php: Remove undefined onclick function reference and enforce CSP
Also fix tag closing.
2019-01-23 19:47:58 -08:00
Isaac Connor 6eb4d7ae27
Filter improvements (#2438)
* Put back code to close the popup when view is none

* clean up and reduce depth of some logic

* Increase width of user popup

* fix code style

* Make execute_filter work on a filter Id instead of name

* rework logic to reduce code depth. Change view to events to display the results of execute.

* Change the redirect to stay on the new view.  When redirecting from executing a filter, it was redirecting to filter.

* Set a form action for correctness. Change execute button to a button instead of a submit. Stay on the filter view when executing
2019-01-23 11:30:51 -05:00
Isaac Connor cc8de69eba Merge branch 'master' into storageareas 2019-01-22 11:44:42 -05:00
Isaac Connor ae703c45ee Set closePopup=true so that we don't need code in the none view to close the popup. The common code in skin.js will take care of it. 2019-01-22 09:14:33 -05:00
Matt N 0619a4a161 Validate cnj, obr, and cbr arguments in parseFilter (#2434) 2019-01-22 08:03:25 -05:00
Isaac Connor 7260f823cb Merge branch 'master' into storageareas 2019-01-21 13:52:38 -05:00
Isaac Connor a2d4dc974b Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2019-01-21 11:19:07 -05:00
Isaac Connor fbc236128e add a function to format a time into a duration. Can't use date() because 0 doesn't give us 00:00:00 it gives 19:00:00 2019-01-21 11:16:14 -05:00
Isaac Connor b24b930f65 After login go to postlogin, not console. the login view is in a popup so we want to close 2019-01-21 11:15:36 -05:00
Matt N d7ebc85d81 Replace remaining `console` inline event handlers (#2432)
* Use a hidden submit button in _monitor_filters rather than onkeydown

* events/console: Convert checkbox header toggle inline event listeners
2019-01-21 11:11:40 -05:00
Matt N 35fb4366b6 Fix recaptcha support with the CSP (#2420) 2019-01-19 09:47:04 -05:00
Matt N 4e48939660 Add a validateForm event listener and enforce CSP on some views (#2425)
* Add a validateForm event listener and enforce CSP on the controlcap view

* filter.php: Use .validateFormOnSubmit

* server.php: Use .validateFormOnSubmit and fix makePopupButton condition check

* Use .validateFormOnSubmit and enforce CSP on the storage view
2019-01-19 09:41:53 -05:00
Isaac Connor 552e14a971 Merge branch 'master' into storageareas 2019-01-18 10:36:59 -05:00
Matt N 6bb5aa1b87 More inline JS / nonce conversions (#2415)
* monitor.php: Add nonce and move <script> inside </body>

* export_functions.php: Untested: Add @nonce to <script>

* blank.php: Add @nonce to <script> and add to CSP enforced views

* Enforce CSP on login and privacy views

* group.php: Add nonce and move <script> inside </body>

* filter.php: Add @nonce to <script>

* Fix updateButtons argument on the filter page upon change and page load

* events.php: Add @nonce to <script>
2019-01-18 09:51:06 -05:00
Isaac Connor 599769b701 rework logic of functions to be more verbose about errors. Implement javascript Nonce support when view=none 2019-01-17 08:50:33 -05:00
Isaac Connor 87d1390fed Merge branch 'storageareas' into h265 2019-01-16 15:20:17 -05:00
Isaac Connor f49dd93b6a Merge branch 'master' into storageareas 2019-01-16 14:39:56 -05:00
Isaac Connor 1f3da476b8 switch to single quotes 2019-01-16 14:04:24 -05:00
Isaac Connor b1cc0c2b82 add CSP nonce to CSRF rewriting 2019-01-16 14:04:07 -05:00
Isaac Connor d8ef33396a If multi-port is on, we need to output CORS headers 2019-01-16 13:44:57 -05:00
Isaac Connor ba21820fd0 fix typo 2019-01-16 12:10:34 -05:00
Isaac Connor eee1d871e0 get rid of default value for PathToIndex so that it will use PHP_SELF instead 2019-01-16 12:09:26 -05:00
Matt N d33fec9c3f Add a CSP script-src policy with nonce-source and convert more inline event handlers (#2413)
* Add Content-Security-Policy-Report-Only: script-src 'self' 'nonce-' policy

* Use @data-on-click-this to attach inline click event handlers which expect being called with 'this'

Only handle ones that don't return a value.

* Use @data-on-click to attach inline click event handlers with no args and no return value

* Use @data-on-click-true to attach inline click event handlers with 'true' as the only argument

* Enforce a script-src CSP on views without inline JS

* Convert some onchange attributes to data-on-change
2019-01-16 09:59:58 -05:00
Isaac Connor fd696bc066 Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2019-01-15 11:38:56 -05:00
Isaac Connor 3182d8bab7 implement to_json method so that defaults get included 2019-01-15 11:36:56 -05:00
Andrew Bauer 07d8ac1d49 implement timezone check function (#2387)
* implement timezone check function

* remove comment

* also check if the timezone is valid

* whitespace
2019-01-15 09:05:11 -05:00
Matt N 083f284599 Replace onclick inline event handlers for createPopup (#2410)
* Move <script> before </body>

* Change makePopupLink to not use onclick

* Change makePopupButton to not use onclick

* Use .popup-link in control_functions.php

* Use makePopupButton in controlcaps.php

* Prevent double-encoding in makePopup*

* Use makePopupButton in devices.php

* Use makePopupButton in logout.php

* Use makePopupLink in monitor.php

* Use makePopupLink and .popup-link in montage.php

* Use makePopupButton in options.php

* Use makePopupButton, makePopupLink, and .popup-link in zones.php
2019-01-15 09:01:58 -05:00
Isaac Connor f726666f54 Merge branch 'master' into h265 2019-01-14 12:36:11 -05:00
Isaac Connor fc7403fe3d Merge branch 'master' into storageareas 2019-01-13 14:53:34 -05:00
Isaac Connor c834fbe462 the filter action should singular filter, not filters 2019-01-13 14:52:39 -05:00
Isaac Connor b373577589 fix function view after actions cleanup 2019-01-10 12:08:25 -05:00
Isaac Connor f3a807f1f8 Merge branch 'master' into storageareas 2019-01-07 09:21:25 -05:00
Isaac Connor b4f8500cb5 Merge branch 'split_actions' 2019-01-05 18:33:04 -05:00
Isaac Connor 3f10553464 Fix include path to Monitors.php 2019-01-05 18:32:53 -05:00
Isaac Connor 1a75cf333e Merge branch 'master' into storageareas 2019-01-05 11:12:38 -05:00
Isaac Connor e34a5e972a fix missing } 2019-01-05 11:12:26 -05:00
Isaac Connor 8eb61b1c11 Merge branch 'master' into storageareas 2019-01-05 10:16:38 -05:00
Isaac Connor 5b5905c83a We always use markEids[] now 2019-01-04 16:29:16 -05:00
Isaac Connor 0e20666992 fix eventdetail actions being in events 2019-01-04 15:43:31 -05:00
Isaac Connor ab198bfd75 remove master version of actions.php 2019-01-04 15:29:21 -05:00
Isaac Connor 52466c398b Merge branch 'split_actions' into storageareas 2019-01-04 15:28:55 -05:00
Isaac Connor b8d065275b Merge branch 'master' into storageareas 2019-01-04 15:22:18 -05:00
Isaac Connor e2f32ab091 Upgrade config saving 2019-01-04 09:43:36 -05:00
Isaac Connor 7ec96655c3 fix missing ! when testing for permission on editing config 2019-01-04 09:37:26 -05:00
Isaac Connor 5b9bf48945 Merge branch 'master' into split_actions 2019-01-04 09:35:54 -05:00
Isaac Connor 46adcbb66b Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2019-01-04 09:34:51 -05:00
Isaac Connor edeaa07c12 Fix no quotes around Id 2019-01-04 09:34:42 -05:00
Isaac Connor 6cad852e11 fix path to MontageLayout 2019-01-04 09:34:18 -05:00
Isaac Connor dbe9817bc8 Split actions.php into individual files per view 2019-01-04 09:26:34 -05:00
Isaac Connor 874930d8fc Merge branch 'master' into improve_config_efficiency 2019-01-02 13:07:53 -05:00
Isaac Connor 5060358870 Merge branch 'master' into storageareas 2018-12-29 09:56:53 -05:00
Andrew Bauer d14e9ecf74 force overloadframes and ExtendAlarmFrames to int (#2373) 2018-12-29 09:53:31 -05:00
Isaac Connor 1a1231fdaa Merge branch 'master' into storageareas 2018-12-28 10:47:27 -05:00
Andrew Bauer a029909972 fix path to thumb and anal images (#2367) 2018-12-28 10:46:13 -05:00
Andrew Bauer fb37fc48e1 update viewImagePatch (#2370) 2018-12-28 10:38:39 -05:00
Andrew Bauer 5f9a113da1
redirect to montage rather than montagereview 2018-12-26 10:34:01 -06:00
Isaac Connor 2b8fa653ed Merge branch 'small_groups_fixes' into storageareas 2018-12-24 09:48:36 -05:00
Isaac Connor e0cae5709f Group::find is now more powerful so we can just use it to return all Groups to be deleted 2018-12-24 09:39:40 -05:00
Isaac Connor 63199289ad Change depth function to be 0-based. 2018-12-24 09:38:55 -05:00
Isaac Connor 7a8beffdcc Merge branch 'master' into storageareas 2018-12-20 15:10:52 -05:00
Isaac Connor a277f697e9 whitespace 2018-12-20 14:58:38 -05:00
Isaac Connor 0bfe1007c8 Merge branch 'master' into storageareas 2018-12-14 10:16:08 -05:00
Mike Rosack 567b60ffa7 support for forwarded proto/port in Server.php (#2343) 2018-12-13 10:24:32 -05:00
Andrew Bauer 8d74354fcb
Merge pull request #2242 from connortechnology/cleanup_auth
Cleanup auth
2018-12-12 20:53:24 -06:00
Isaac Connor eba8b3327d Merge branch 'master' into cleanup_auth 2018-12-11 16:04:42 -05:00
Andrew Bauer 4d7e98475f
Merge pull request #2297 from connortechnology/introduce_getBodyTopHTML
Introduce get body top html
2018-12-11 09:35:54 -06:00
Isaac Connor c8c34d3f95 Merge branch 'master' into storageareas 2018-12-11 10:21:22 -05:00
Isaac Connor e1ecd47bff Fix missing use of UrlToApi 2018-12-11 09:40:40 -05:00
Isaac Connor a1141d2dc4 remove second use of HTTP_HOST and use a better method of stripping off port from HTTP_HOST 2018-12-07 08:39:23 -05:00
Isaac Connor 757e538550 strip port from HTTP_HOST 2018-12-06 17:12:03 -05:00
Isaac Connor bc5f8d0d8d rework pts/dts of audio stream. Spacing. Fix crash 2018-12-04 18:23:08 -05:00
Isaac Connor 2df6d74a3e Merge branch 'master' into storageareas 2018-12-02 17:15:12 -05:00
Andrew Bauer e327ad100e fix WebSite camera startup issue 2018-12-01 17:03:50 -06:00
Andrew Bauer cae6ffd5a3 use HTTP_HOST instead of SERVER_NAME 2018-12-01 13:27:08 -06:00
Isaac Connor 4272225a17 Merge branch 'master' into h265 2018-11-30 16:42:16 -05:00
Isaac Connor 7d90a56561 Merge branch 'master' into storageareas 2018-11-30 14:46:42 -05:00
Isaac Connor 8c626c984b Need to pass port through all Url functions 2018-11-30 14:45:58 -05:00
Isaac Connor fe45e83bb4 Fix PathToIndex 2018-11-29 15:54:25 -05:00
Isaac Connor 4cf7ff7fe4 Merge branch 'server_path_prefix' into storageareas 2018-11-29 15:53:58 -05:00
Isaac Connor 3bd5774ea1 Default to PathToIndex should have the index.php in it 2018-11-29 15:53:19 -05:00
Isaac Connor af2bb992e9 Merge branch 'server_path_prefix' into storageareas 2018-11-29 14:33:46 -05:00
Isaac Connor 1c17f334d3 fix missing bits. Implement UrlToIndex in Monitor and fix use of Url(). Implement PathToApi as well 2018-11-29 14:26:30 -05:00
Isaac Connor 4625f7c879 Merge branch 'master' into storageareas 2018-11-28 10:46:49 -05:00
Isaac Connor 1e915e9567 Merge branch 'master' into server_path_prefix 2018-11-28 10:45:36 -05:00
Isaac Connor 57acb2aac6 Merge branch 'server_path_prefix' into storageareas 2018-11-28 10:41:11 -05:00
Isaac Connor f8b2ff5c77 rework from Url() to PathToIndex(), PathToZMS(), UrlToIndex() and UrlToZMS() 2018-11-27 17:35:25 -05:00
Isaac Connor 17c1933913 remove an extra l 2018-11-26 16:20:15 -05:00
Isaac Connor 19f3cce41f Dont auto-guess pathPrefix 2018-11-23 13:54:14 -05:00
Isaac Connor 7ad19be0d7 Merge branch 'server_path_prefix' into storageareas 2018-11-23 13:29:01 -05:00
Isaac Connor dea5db9dd9 Merge branch 'zmaudit_check_other_storageareas' into storageareas 2018-11-23 11:11:39 -05:00
Isaac Connor c5f7fb7b18 Merge branch 'master' into server_path_prefix 2018-11-22 10:04:33 -05:00
Isaac Connor 62e511cfd1 Merge branch 'master' into h265 2018-11-17 10:41:20 -05:00
Isaac Connor 415d43fafb Include Server Name when testing for CORS. Also be case insensitive. 2018-11-15 12:23:52 -05:00
Isaac Connor e24a308481 Merge branch 'master' into h265 2018-11-14 17:15:37 -05:00
Isaac Connor 9d5772b517 Merge branch 'fix_multiserver_daemon_restarting' into storageareas 2018-11-14 13:02:30 -05:00
Isaac Connor 786ca5b22a implement remove service restart for zma. Use daemonControl instead of saving the monitor when restarting zmc 2018-11-14 13:00:19 -05:00